Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

• Create a Domain Admin Service Account and credentials wont be shared with the Monitoring Team.
• Where they can push agents and update them.

Step 1:

Make sure Allow Log on locally is set to administrators by default in default domain controllers policy.

Step 2:

• Now you can push the SCOM Agent using the discovery wizard.
• Use the same account for Run as . Once its discovered.

Step 3:

Login to the Domain Controllers where we are going to monitor – Disable AD integration

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\'

EnableADIntegration REG_DWORD to ‘0’.

Step 4:

SCOM Console – Administration – Run as Configuration – Accounts Create a Run As Account called Privileged Monitoring.

Get the Domain Controllers alone added.

Step 5 –

Assign the Privileged monitoring account in the AD MP Account profile.

Step 6 –

Login to Domain Controllers – Open Power-Shell – Run as administrator –

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

"C:\Program Files\Microsoft Monitoring Agent\Agent" .\hslockdown.exe SCOMGROUNAME /l

If you see SYSTEM is on Denied List.

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

.\hslockdown.exe SCOMGROUPNAME /R "NT AUTHORITY\SYSTEM"

Step 7 –

Restart Microsoft Monitoring Agent on Domain Controllers.

Make Sure Agent restarts without any Errors/Warnings.

Now you should see.

NOTE : For Active Directory Topology view to Work . Install .Net 3.5 on all SCOM Management Servers

Reference Events –

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in

Description:
Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' 

in the registry to ‘0’.